Apple iWatch could replace passwords

One researcher, however, postulates another use for the iWatch: it could render passwords obsolete.

Passwords are of course the notorious weak link when it comes to end users inadvertently letting the hacker barbarians into the castle. A recent study shows that the ever-popular “password1” remains the go-to corporate “protection” byword. But complex or dynamic passwords challenge users to remember them, leading to users scribbling the key down on post-it notes attached to computer screens or in e-mails to themselves – neither of which is particularly secure.

Biometrics and physical security like the old token authentication remain good alternatives, but they are also alternatives that are difficult to implement, particularly on the consumer front. According to Bruce Tognazzini, a human-computer interaction expert, Apple has an opportunity to reinvent credentialing and authentication – and indeed physical mobile security – just as it has mobile phones and computing.

In what he calls one of two killer applications for the iWatch, Tognazzini said it can and should, for most of us, “eliminate passcodes and passwords altogether on iPhones, and Macs and, if Apple’s smart, PCs: As long as my watch is in range, let me in!” he wrote in his blog.

He doesn’t describe the mechanism for how the security would work, but presumably an iWatch app could connect to authenticated devices via Bluetooth or even Wi-Fi and 3G/4G, and once recognized, would open the door.

“Yes, Apple is working on adding fingerprint reading for iDevices, and that’s just wonderful, but it will still take time and trouble for the device to get an accurate read from the user,” Tognazzini said.

He also mentioned that individuals or companies that demand a higher level of security can require both the presence of the watch and a passcode, aka, two-factor authentication. “Even that could be made a lot less onerous, again optionally, if, when at work or within your own house, the security software would be allowed to lift the requirement for the separate passcode, only applying it when you are out and about,” he said.

He noted that there are some pitfalls to be avoided when developing the functionality. Apple must ensure, for instance, that a user who removes the watch has to reestablish authenticity. “Reauthorizing would be an excellent place for biometrics,” he said. “Otherwise, we’ll have a spate of violent ‘watchjackings,’ replacing the non-violent iPhone-grabs going on today.”

Regardless, password replacement is a must, in Tognazzini’s view – which is saying something considering that he developed the original iPhone interface.

The other killer app for the iWatch is also security-related: a “find iPhone” function, which includes not just the long-distance geo-targeting available today, but also the ability to have an iPhone begin chiming if it’s lost inside the house or a purse. It would offer an automatic alert when a person walks away from the phone – in an effort to prevent leaving it sitting on a table at a restaurant, or in the back of a cab.

“[The] iWatch can and should neatly fix the two most serious problems we have with our current mobile devices, ones we may not even realize we have,” he wrote. “The two killer applications are neither sexy nor fun, but they will make our lives so much more pleasant.”

The iWatch overall will fill a gaping hole in the Apple ecosystem, he said, in which security plays a big role (witness the outrage over the recent iOS 6.1 flaw). Tognazzini muses that an iWatch will facilitate and coordinate not only the activities of all the other computers and devices we use, but a wide array of devices to come – with credentialing being a critical piece.

“If the watch did nothing but release me from having to enter my passcode/password 10 to 20 times a day, I would buy it,” Tognazzini said. “If the watch would just free me from having to enter passcodes, I would buy it even if it couldn’t tell the right time.”
